1 /* 2 * Copyright 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.keystore.cts; 18 19 import android.security.keystore.KeyGenParameterSpec; 20 import android.security.keystore.KeyProperties; 21 import android.test.MoreAsserts; 22 23 import junit.framework.TestCase; 24 25 import java.math.BigInteger; 26 import java.security.spec.AlgorithmParameterSpec; 27 import java.security.spec.ECGenParameterSpec; 28 import java.util.Arrays; 29 import java.util.Date; 30 31 import javax.security.auth.x500.X500Principal; 32 33 public class KeyGenParameterSpecTest extends TestCase { 34 35 private static final X500Principal DEFAULT_CERT_SUBJECT = new X500Principal("CN=fake"); 36 private static final BigInteger DEFAULT_CERT_SERIAL_NUMBER = new BigInteger("1"); 37 private static final Date DEFAULT_CERT_NOT_BEFORE = new Date(0L); // Jan 1 1970 38 private static final Date DEFAULT_CERT_NOT_AFTER = new Date(2461449600000L); // Jan 1 2048 39 40 public void testDefaults() { 41 // Set only the mandatory parameters and assert values returned by getters. 42 43 KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder( 44 "arbitrary", KeyProperties.PURPOSE_ENCRYPT) 45 .build(); 46 47 assertEquals("arbitrary", spec.getKeystoreAlias()); 48 assertEquals(KeyProperties.PURPOSE_ENCRYPT, spec.getPurposes()); 49 assertNull(null, spec.getAlgorithmParameterSpec()); 50 MoreAsserts.assertEmpty(Arrays.asList(spec.getBlockModes())); 51 assertEquals(DEFAULT_CERT_NOT_BEFORE, spec.getCertificateNotBefore()); 52 assertEquals(DEFAULT_CERT_NOT_AFTER, spec.getCertificateNotAfter()); 53 assertEquals(DEFAULT_CERT_SERIAL_NUMBER, spec.getCertificateSerialNumber()); 54 assertEquals(DEFAULT_CERT_SUBJECT, spec.getCertificateSubject()); 55 assertFalse(spec.isDigestsSpecified()); 56 try { 57 spec.getDigests(); 58 fail(); 59 } catch (IllegalStateException expected) {} 60 MoreAsserts.assertEmpty(Arrays.asList(spec.getEncryptionPaddings())); 61 assertEquals(-1, spec.getKeySize()); 62 assertNull(spec.getKeyValidityStart()); 63 assertNull(spec.getKeyValidityForOriginationEnd()); 64 assertNull(spec.getKeyValidityForConsumptionEnd()); 65 assertTrue(spec.isRandomizedEncryptionRequired()); 66 MoreAsserts.assertEmpty(Arrays.asList(spec.getSignaturePaddings())); 67 assertFalse(spec.isUserAuthenticationRequired()); 68 assertEquals(-1, spec.getUserAuthenticationValidityDurationSeconds()); 69 assertFalse(spec.isUnlockedDeviceRequired()); 70 } 71 72 public void testSettersReflectedInGetters() { 73 // Set all parameters to non-default values and then assert that getters reflect that. 74 75 Date certNotBeforeDate = new Date(System.currentTimeMillis()); 76 Date certNotAfterDate = new Date(System.currentTimeMillis() + 12345678); 77 Date keyValidityStartDate = new Date(System.currentTimeMillis() - 2222222); 78 Date keyValidityEndDateForOrigination = new Date(System.currentTimeMillis() + 11111111); 79 Date keyValidityEndDateForConsumption = new Date(System.currentTimeMillis() + 33333333); 80 AlgorithmParameterSpec algSpecificParams = new ECGenParameterSpec("secp256r1"); 81 82 KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder( 83 "arbitrary", KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_ENCRYPT) 84 .setAlgorithmParameterSpec(algSpecificParams) 85 .setBlockModes(KeyProperties.BLOCK_MODE_GCM, KeyProperties.BLOCK_MODE_CBC) 86 .setCertificateNotBefore(certNotBeforeDate) 87 .setCertificateNotAfter(certNotAfterDate) 88 .setCertificateSerialNumber(new BigInteger("13946146")) 89 .setCertificateSubject(new X500Principal("CN=test")) 90 .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA384) 91 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP, 92 KeyProperties.ENCRYPTION_PADDING_PKCS7) 93 .setKeySize(1234) 94 .setKeyValidityStart(keyValidityStartDate) 95 .setKeyValidityForOriginationEnd(keyValidityEndDateForOrigination) 96 .setKeyValidityForConsumptionEnd(keyValidityEndDateForConsumption) 97 .setRandomizedEncryptionRequired(false) 98 .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PSS, 99 KeyProperties.SIGNATURE_PADDING_RSA_PKCS1) 100 .setUserAuthenticationRequired(true) 101 .setUserAuthenticationValidityDurationSeconds(12345) 102 .setUnlockedDeviceRequired(true) 103 .build(); 104 105 assertEquals("arbitrary", spec.getKeystoreAlias()); 106 assertEquals( 107 KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_ENCRYPT, spec.getPurposes()); 108 assertSame(algSpecificParams, spec.getAlgorithmParameterSpec()); 109 MoreAsserts.assertContentsInOrder(Arrays.asList(spec.getBlockModes()), 110 KeyProperties.BLOCK_MODE_GCM, KeyProperties.BLOCK_MODE_CBC); 111 assertEquals(certNotBeforeDate, spec.getCertificateNotBefore()); 112 assertEquals(certNotAfterDate, spec.getCertificateNotAfter()); 113 assertEquals(new BigInteger("13946146"), spec.getCertificateSerialNumber()); 114 assertEquals(new X500Principal("CN=test"), spec.getCertificateSubject()); 115 assertTrue(spec.isDigestsSpecified()); 116 MoreAsserts.assertContentsInOrder(Arrays.asList(spec.getDigests()), 117 KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA384); 118 MoreAsserts.assertContentsInOrder(Arrays.asList(spec.getEncryptionPaddings()), 119 KeyProperties.ENCRYPTION_PADDING_RSA_OAEP, KeyProperties.ENCRYPTION_PADDING_PKCS7); 120 assertEquals(1234, spec.getKeySize()); 121 assertEquals(keyValidityStartDate, spec.getKeyValidityStart()); 122 assertEquals(keyValidityEndDateForOrigination, spec.getKeyValidityForOriginationEnd()); 123 assertEquals(keyValidityEndDateForConsumption, spec.getKeyValidityForConsumptionEnd()); 124 assertFalse(spec.isRandomizedEncryptionRequired()); 125 MoreAsserts.assertContentsInOrder(Arrays.asList(spec.getSignaturePaddings()), 126 KeyProperties.SIGNATURE_PADDING_RSA_PSS, KeyProperties.SIGNATURE_PADDING_RSA_PKCS1); 127 assertTrue(spec.isUserAuthenticationRequired()); 128 assertEquals(12345, spec.getUserAuthenticationValidityDurationSeconds()); 129 assertTrue(spec.isUnlockedDeviceRequired()); 130 } 131 132 public void testNullAliasNotPermitted() { 133 try { 134 new KeyGenParameterSpec.Builder(null, KeyProperties.PURPOSE_ENCRYPT); 135 fail(); 136 } catch (NullPointerException expected) {} 137 } 138 139 public void testEmptyAliasNotPermitted() { 140 try { 141 new KeyGenParameterSpec.Builder("", KeyProperties.PURPOSE_ENCRYPT); 142 fail(); 143 } catch (IllegalArgumentException expected) {} 144 } 145 146 public void testSetKeyValidityEndDateAppliesToBothEndDates() { 147 Date date = new Date(System.currentTimeMillis() + 555555); 148 KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder( 149 "ignore", KeyProperties.PURPOSE_VERIFY) 150 .setKeyValidityEnd(date) 151 .build(); 152 assertEquals(date, spec.getKeyValidityForOriginationEnd()); 153 assertEquals(date, spec.getKeyValidityForConsumptionEnd()); 154 } 155 156 public void testSetUserAuthenticationValidityDurationSecondsValidityCheck() { 157 KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("alias", 0); 158 try { 159 builder.setUserAuthenticationValidityDurationSeconds(-2); 160 fail(); 161 } catch (IllegalArgumentException expected) {} 162 163 try { 164 builder.setUserAuthenticationValidityDurationSeconds(-100); 165 fail(); 166 } catch (IllegalArgumentException expected) {} 167 168 try { 169 builder.setUserAuthenticationValidityDurationSeconds(Integer.MIN_VALUE); 170 fail(); 171 } catch (IllegalArgumentException expected) {} 172 173 builder.setUserAuthenticationValidityDurationSeconds(-1); 174 builder.setUserAuthenticationValidityDurationSeconds(0); 175 builder.setUserAuthenticationValidityDurationSeconds(1); 176 builder.setUserAuthenticationValidityDurationSeconds(Integer.MAX_VALUE); 177 178 try { 179 builder.setUserAuthenticationValidityDurationSeconds(-2); 180 fail(); 181 } catch (IllegalArgumentException expected) {} 182 } 183 184 public void testImmutabilityViaSetterParams() { 185 // Assert that all mutable parameters provided to setters are copied to ensure that values 186 // returned by getters never change. 187 String[] blockModes = 188 new String[] {KeyProperties.BLOCK_MODE_GCM, KeyProperties.BLOCK_MODE_CBC}; 189 String[] originalBlockModes = blockModes.clone(); 190 Date certNotBeforeDate = new Date(System.currentTimeMillis()); 191 Date originalCertNotBeforeDate = new Date(certNotBeforeDate.getTime()); 192 Date certNotAfterDate = new Date(System.currentTimeMillis() + 12345678); 193 Date originalCertNotAfterDate = new Date(certNotAfterDate.getTime()); 194 Date keyValidityStartDate = new Date(System.currentTimeMillis() - 2222222); 195 Date originalKeyValidityStartDate = new Date(keyValidityStartDate.getTime()); 196 Date keyValidityEndDateForOrigination = new Date(System.currentTimeMillis() + 11111111); 197 Date originalKeyValidityEndDateForOrigination = 198 new Date(keyValidityEndDateForOrigination.getTime()); 199 Date keyValidityEndDateForConsumption = new Date(System.currentTimeMillis() + 33333333); 200 Date originalKeyValidityEndDateForConsumption = 201 new Date(keyValidityEndDateForConsumption.getTime()); 202 String[] digests = new String[] {KeyProperties.DIGEST_MD5, KeyProperties.DIGEST_SHA512}; 203 String[] originalDigests = digests.clone(); 204 String[] encryptionPaddings = new String[] { 205 KeyProperties.ENCRYPTION_PADDING_RSA_OAEP, KeyProperties.ENCRYPTION_PADDING_PKCS7}; 206 String[] originalEncryptionPaddings = encryptionPaddings.clone(); 207 String[] signaturePaddings = new String[] { 208 KeyProperties.SIGNATURE_PADDING_RSA_PSS, KeyProperties.SIGNATURE_PADDING_RSA_PKCS1}; 209 String[] originalSignaturePaddings = signaturePaddings.clone(); 210 211 KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder( 212 "arbitrary", KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_ENCRYPT) 213 .setBlockModes(blockModes) 214 .setCertificateNotBefore(certNotBeforeDate) 215 .setCertificateNotAfter(certNotAfterDate) 216 .setDigests(digests) 217 .setEncryptionPaddings(encryptionPaddings) 218 .setKeyValidityStart(keyValidityStartDate) 219 .setKeyValidityForOriginationEnd(keyValidityEndDateForOrigination) 220 .setKeyValidityForConsumptionEnd(keyValidityEndDateForConsumption) 221 .setSignaturePaddings(signaturePaddings) 222 .build(); 223 224 assertEquals(Arrays.asList(originalBlockModes), Arrays.asList(spec.getBlockModes())); 225 blockModes[0] = null; 226 assertEquals(Arrays.asList(originalBlockModes), Arrays.asList(spec.getBlockModes())); 227 228 assertEquals(originalCertNotBeforeDate, spec.getCertificateNotBefore()); 229 certNotBeforeDate.setTime(1234567890L); 230 assertEquals(originalCertNotBeforeDate, spec.getCertificateNotBefore()); 231 232 assertEquals(originalCertNotAfterDate, spec.getCertificateNotAfter()); 233 certNotAfterDate.setTime(1234567890L); 234 assertEquals(originalCertNotAfterDate, spec.getCertificateNotAfter()); 235 236 assertEquals(Arrays.asList(originalDigests), Arrays.asList(spec.getDigests())); 237 digests[1] = null; 238 assertEquals(Arrays.asList(originalDigests), Arrays.asList(spec.getDigests())); 239 240 assertEquals(Arrays.asList(originalEncryptionPaddings), 241 Arrays.asList(spec.getEncryptionPaddings())); 242 encryptionPaddings[0] = null; 243 assertEquals(Arrays.asList(originalEncryptionPaddings), 244 Arrays.asList(spec.getEncryptionPaddings())); 245 246 assertEquals(originalKeyValidityStartDate, spec.getKeyValidityStart()); 247 keyValidityStartDate.setTime(1234567890L); 248 assertEquals(originalKeyValidityStartDate, spec.getKeyValidityStart()); 249 250 assertEquals(originalKeyValidityEndDateForOrigination, 251 spec.getKeyValidityForOriginationEnd()); 252 keyValidityEndDateForOrigination.setTime(1234567890L); 253 assertEquals(originalKeyValidityEndDateForOrigination, 254 spec.getKeyValidityForOriginationEnd()); 255 256 assertEquals(originalKeyValidityEndDateForConsumption, 257 spec.getKeyValidityForConsumptionEnd()); 258 keyValidityEndDateForConsumption.setTime(1234567890L); 259 assertEquals(originalKeyValidityEndDateForConsumption, 260 spec.getKeyValidityForConsumptionEnd()); 261 262 assertEquals(Arrays.asList(originalSignaturePaddings), 263 Arrays.asList(spec.getSignaturePaddings())); 264 signaturePaddings[1] = null; 265 assertEquals(Arrays.asList(originalSignaturePaddings), 266 Arrays.asList(spec.getSignaturePaddings())); 267 } 268 269 public void testImmutabilityViaGetterReturnValues() { 270 // Assert that none of the mutable return values from getters modify the state of the spec. 271 272 KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder( 273 "arbitrary", KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_ENCRYPT) 274 .setBlockModes(KeyProperties.BLOCK_MODE_GCM, KeyProperties.BLOCK_MODE_CBC) 275 .setCertificateNotBefore(new Date(System.currentTimeMillis())) 276 .setCertificateNotAfter(new Date(System.currentTimeMillis() + 12345678)) 277 .setDigests(KeyProperties.DIGEST_MD5, KeyProperties.DIGEST_SHA512) 278 .setEncryptionPaddings( 279 KeyProperties.ENCRYPTION_PADDING_RSA_OAEP, 280 KeyProperties.ENCRYPTION_PADDING_PKCS7) 281 .setKeyValidityStart(new Date(System.currentTimeMillis() - 2222222)) 282 .setKeyValidityForOriginationEnd(new Date(System.currentTimeMillis() + 11111111)) 283 .setKeyValidityForConsumptionEnd(new Date(System.currentTimeMillis() + 33333333)) 284 .setSignaturePaddings( 285 KeyProperties.SIGNATURE_PADDING_RSA_PSS, 286 KeyProperties.SIGNATURE_PADDING_RSA_PKCS1) 287 .build(); 288 289 String[] originalBlockModes = spec.getBlockModes().clone(); 290 spec.getBlockModes()[0] = null; 291 assertEquals(Arrays.asList(originalBlockModes), Arrays.asList(spec.getBlockModes())); 292 293 Date originalCertNotBeforeDate = (Date) spec.getCertificateNotBefore().clone(); 294 spec.getCertificateNotBefore().setTime(1234567890L); 295 assertEquals(originalCertNotBeforeDate, spec.getCertificateNotBefore()); 296 297 Date originalCertNotAfterDate = (Date) spec.getCertificateNotAfter().clone(); 298 spec.getCertificateNotAfter().setTime(1234567890L); 299 assertEquals(originalCertNotAfterDate, spec.getCertificateNotAfter()); 300 301 String[] originalDigests = spec.getDigests().clone(); 302 spec.getDigests()[0] = null; 303 assertEquals(Arrays.asList(originalDigests), Arrays.asList(spec.getDigests())); 304 305 String[] originalEncryptionPaddings = spec.getEncryptionPaddings().clone(); 306 spec.getEncryptionPaddings()[0] = null; 307 assertEquals(Arrays.asList(originalEncryptionPaddings), 308 Arrays.asList(spec.getEncryptionPaddings())); 309 310 Date originalKeyValidityStartDate = (Date) spec.getKeyValidityStart().clone(); 311 spec.getKeyValidityStart().setTime(1234567890L); 312 assertEquals(originalKeyValidityStartDate, spec.getKeyValidityStart()); 313 314 Date originalKeyValidityEndDateForOrigination = 315 (Date) spec.getKeyValidityForOriginationEnd().clone(); 316 spec.getKeyValidityForOriginationEnd().setTime(1234567890L); 317 assertEquals(originalKeyValidityEndDateForOrigination, 318 spec.getKeyValidityForOriginationEnd()); 319 320 Date originalKeyValidityEndDateForConsumption = 321 (Date) spec.getKeyValidityForConsumptionEnd().clone(); 322 spec.getKeyValidityForConsumptionEnd().setTime(1234567890L); 323 assertEquals(originalKeyValidityEndDateForConsumption, 324 spec.getKeyValidityForConsumptionEnd()); 325 326 String[] originalSignaturePaddings = spec.getSignaturePaddings().clone(); 327 spec.getSignaturePaddings()[0] = null; 328 assertEquals(Arrays.asList(originalSignaturePaddings), 329 Arrays.asList(spec.getSignaturePaddings())); 330 } 331 } 332
